A major flaw in WhatsApp exposed the phone numbers and profile photos of almost all phone users in the world.
Call it a feature or a flaw, but it seems that WhatsApp’s data has been exposed, which includes the profile photos and numbers of more than 3.5 billion users. Meta says the flaw, which has now been fixed, has not been exploited. However, this still raises privacy concerns.

Researchers call this a flaw or bug; on closer inspection, however, it looks more like an overlooked design and functionality issue. Regardless, until recently WhatsApp was leaking users’ phone numbers and profile photos through a “flaw” in the app. Security researchers discovered that, because of a problem with rate limiting in the app’s contact-search tool, someone could have harvested the phone numbers of almost all WhatsApp users, and the profile photos of some, without anyone knowing.
A team of researchers from the University of Vienna managed to extract 3.5 billion phone numbers with a “simple” technique built on WhatsApp’s contact-search system.
Researchers reported that the flaw was in the mechanism that checks whether a phone number is registered on WhatsApp or not. Instead of limiting how many queries a user could make, WhatsApp reportedly allowed millions of checks per hour without any rate limits or warnings. By automating this process, the researchers were able to systematically test vast ranges of phone numbers and collect not only confirmation that an account existed on WhatsApp, but also the profile photos and status text associated with many of those accounts. This flaw allowed the researchers to build a massive global database of 3.5 billion active WhatsApp accounts. They warned that if the exploit had fallen into the wrong hands, it could have led to “the largest data leak in history”.
Researchers have warned that this weakness has existed in WhatsApp since at least 2017, although Meta had been informed of similar risks earlier. WhatsApp’s contact-search feature, designed to sync users’ phones’ address books and make it easier to find people, also inadvertently opened the door to mass harvesting of user data, according to Austrian researchers.
Meta acknowledged the “flaw”, although it indicated that it was a design decision that had been overlooked. In a statement to Wired, which reported on the Austrian researchers’ findings, Nitin Gupta, WhatsApp’s vice president of engineering, said, “This study was helpful in stress-testing and confirming the immediate efficacy of the new defenses (anti-scraping). We found no evidence of malicious actors abusing this vector. As a reminder, user messages remain private and secure due to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to researchers.”
In other words: Meta is saying that yes, the “flaw” did exist, but it has now been fixed, as Meta has reportedly put a rate limit on how many times one can query WhatsApp to find out whether a phone number is registered on the app. The company also stresses that only public data was exposed, since it regards phone numbers and public profile photos as publicly available data.
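To make the mechanism and the fix concrete, here is an added example, written for this page and not code from WhatsApp, Meta or the Vienna researchers. It models a toy contact-discovery endpoint in two configurations: unthrottled, as the article describes the original design, and throttled by a per-client sliding-window limit; it also includes a simple audit-log check that would surface bulk lookups. The class and function names, the limit of 200 checks per hour, the sample numbers and the audit format are all assumptions made up for illustration.

```python
from collections import defaultdict, deque

# Constructed sample data: the "registered" numbers of a toy directory.
REGISTERED = {"+15550000001", "+15550000002", "+15550000005"}


class SlidingWindowLimiter:
    """Allow at most `limit` number-checks per client per `window` seconds.

    The budget is charged per number checked, not per request, so packing
    many numbers into one batched request cannot bypass the limit.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client_id -> timestamps of charged checks

    def charge(self, client_id, cost, now):
        q = self._hits[client_id]
        # Drop charges that fell out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) + cost > self.limit:
            return False
        q.extend([now] * cost)
        return True


class ContactLookup:
    """Toy contact-discovery endpoint (hypothetical, not WhatsApp's API).

    With limiter=None it behaves like the unthrottled design the article
    describes: any number of registration checks per hour are answered.
    """

    def __init__(self, limiter=None):
        self.limiter = limiter
        self.audit = []  # (client_id, time, numbers_checked) for each answered request

    def lookup(self, client_id, numbers, now):
        if self.limiter and not self.limiter.charge(client_id, len(numbers), now):
            # Same response shape on rejection, so the refusal itself leaks nothing.
            return {"status": "rate_limited", "results": {}}
        self.audit.append((client_id, now, len(numbers)))
        return {"status": "ok", "results": {n: (n in REGISTERED) for n in numbers}}


def count_answered_checks(service, client_id, per_request, requests, step=1.0):
    """Drive `requests` batched lookups one `step` second apart against the toy
    service and return how many individual number-checks it answered."""
    answered = 0
    for i in range(requests):
        batch = [f"+1555{i * per_request + j:07d}" for j in range(per_request)]
        resp = service.lookup(client_id, batch, i * step)
        if resp["status"] == "ok":
            answered += len(resp["results"])
    return answered


def flag_bulk_lookups(audit, threshold, window):
    """Detection: return clients whose answered checks exceed `threshold`
    inside any `window`-second span of the audit log."""
    flagged = set()
    per_client = defaultdict(list)
    for client_id, t, n in audit:
        per_client[client_id].append((t, n))
    for client_id, events in per_client.items():
        events.sort()
        recent, total = deque(), 0
        for t, n in events:
            recent.append((t, n))
            total += n
            while recent and t - recent[0][0] >= window:
                _, old = recent.popleft()
                total -= old
            if total > threshold:
                flagged.add(client_id)
                break
    return flagged


if __name__ == "__main__":
    open_svc = ContactLookup()
    print("unthrottled checks answered:", count_answered_checks(open_svc, "bot", 50, 100))
    limited = ContactLookup(SlidingWindowLimiter(limit=200, window=3600))
    print("throttled checks answered:", count_answered_checks(limited, "bot", 50, 100))
    print("flagged clients:", flag_bulk_lookups(limited.audit, threshold=150, window=3600))
```

Two design choices matter here. Charging the budget per number rather than per request closes the obvious bypass of sending one huge batch; and the rejection response carries the same shape as a success, so a throttled caller learns nothing about the numbers it asked about. The audit-log check is the detection side of the same control: even with a limit in place, a client that repeatedly brushes against it is worth a look.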
Meanwhile, the researchers reported that by using WhatsApp Web as the interface, they were able to send massive volumes of contact-search requests, scraping millions of entries every hour. They noted that in about 57 percent of the accounts identified, profile photos were accessible, and in 29 percent, profile text was visible. What is even more worrying is that this technique also works in countries where WhatsApp is banned, including China, Iran, Myanmar and North Korea, potentially putting people at risk, since it could expose who in those countries is an active WhatsApp user.
After realizing the seriousness of the flaw, the researchers say they reported it to Meta and deleted the database after the study ended. The report said it took Meta about six months to fix the app and implement the rate cap.